What are SME cybersecurity issues by sector?

While threat detection continues to improve, the widening cybersecurity skills gap is exposing businesses. This is a problem that is acutely felt by SMEs who are forced to limit their spending due to the current economic climate. With this in mind, we recently surveyed over 700 SMBs in various sectors to ascertain their ability to detect and respond to the latest cyberthreats. The difference is stark. While some sectors have high confidence in their internal cybersecurity skills, others prefer to outsource significant cybersecurity to external experts to ensure they are protected.

Let’s look at each sector in detail:

• Business and professional services

Data shows that more than a quarter (26%) of business and professional services SMEs have little or no confidence in their internal cybersecurity expertise. Less than a third (31%) have little confidence in their team’s understanding of the latest threats. Furthermore, a third (33%) believe they will struggle to pinpoint the root cause of a cyberattack.

Nearly 4 in 10 (38%) of SMEs in the business and professional services category manage their security at home, slightly more than the average SME (34%). More than half (54%) prefer to outsource. However, an additional 8% want to outsource their cybersecurity in the next 12 months.

Only 24% of business and professional services SMEs prefer to maintain their security management, the lowest of all sectors surveyed. Over a quarter (26%) prefer to outsource to one security provider and 40% choose to outsource to multiple providers.

Nearly 3 in 10 (29%) of SMEs operating in financial services have little or no confidence in their internal cybersecurity expertise. More (36%) have little or no confidence in their employees’ understanding of cybersecurity threats. However, only 26% of financial services SMEs believe they will struggle to determine the root cause of cyberattacks, less than the average SMB (29%).

Only 28% of financial services SMEs manage their own security, the lowest of all the sectors we surveyed. In contrast, almost two-thirds (65%) outsource it, far more than the average SME (59%).

More than a quarter (26%) of financial services SMEs indicated a preference for maintaining their security management. The same number prefer to outsource to one provider, while 39% prefer to outsource their security to multiple providers.

• Manufacturing and Industry

A third (33%) of manufacturing and industrial SMBs have little or no confidence in their internal cybersecurity expertise, far more than the average SMB (25%). Four in 10 (40%) have little or no confidence in their employees’ understanding of security threats, more than any other sector. However, only 29% are concerned that they will struggle to pinpoint the root cause of a cyberattack if the worst happens.

Only 3 in 10 (30%) manufacturing and industrial SMEs manage their own security. More than twice as many (63%) prefer to outsource their security, the second highest of any sector.

A third (33%) of SMBs in both manufacturing and industrial verticals show a preference for maintaining their cybersecurity management, the most from any sector. Only 24% prefer to outsource to one security provider, and 35% outsource to multiple providers.

• Retail, wholesale and distribution

Four in five (80%) retail, wholesale and distribution SMEs have moderate or high confidence in their internal cybersecurity expertise, most from any sector. This is much more convincing in the cybersecurity expertise of IT teams than seen in the manufacturing sector (67%). Three-quarters (74%) of retail, wholesale and distribution SMEs also have moderate or high confidence in their employees’ understanding of security threats, compared to only 64% of financial services SMEs. Similarly, more retail, wholesale and distribution SMEs (79%) are more confident in their ability to pinpoint the root causes of attacks than any other sector.

More than 4 in 10 (41%) retail, wholesale and distribution SMEs manage their cyber security internally, most from any sector. Because of this, currently only 53% outsource their security. However, 6% would like to do so in the next year.

About 3 in 10 (31%) retail, wholesale and distribution SMEs indicated a preference for maintaining their security management. The same number would prefer to outsource to one security provider, and a further 28% would outsource to multiple providers.

A quarter (25%) of tech and telecommunications SMEs have little or no confidence in their internal cybersecurity expertise. However, more SMEs in this sector (78%) have moderate or high confidence in their employees’ understanding of security threats than other SMEs. More than three-quarters (77%) also believe in their ability to determine the root cause in the event of an attack.

Perhaps unsurprisingly, more tech and telecom SMBs (37%) manage their cybersecurity internally than the average SMB (34%). However, more outsource their security than retail businesses (58% versus 53%).

Three in 10 (31%) tech and telecommunications SMEs indicated a preference for maintaining their security management. In contrast, 23% prefer to outsource to one provider, and 36% outsource to multiple security providers.

False sense of security?

While SMEs in certain sectors have a higher level of trust and a different approach to their cybersecurity management than others, often these SMEs manage their cybersecurity entirely in-house and thus may have too much of a sense of security. If in-house management is in place, regular third-party security audits are recommended and regular creation and updating of security policies.

ESET’s 2022 SME Digital Security Sentiment Report sends a clear message about where this growing need is driving SMBs. 32% of SMBs surveyed reported using endpoint detection and response (EDR), extended detection and response (XDR), or managed detection and response (MDR), and 33% plan to leverage these technologies within the next 12 months. With the majority of SMEs in technology and telecommunications (69%), manufacturing and industrial (67%), and financial services (74%) preferring to outsource their security needs, the question that remains elusive from this survey is: What is the specific type of business in this vertical prioritize continuous in-house management, and what are their specific reasons?